views:

33

answers:

2

I have a need to be able to identify one system from another in ASP.Net using anything available in HttpContext. I've attempted to use many of the ServerVariables available, but often the systems are configured from a drive built off of an image. So, because of the firewall their IP address is the same and all of their ServerVariables (browseragent, logonuser) are the same, I need to find something else that will tell different machines apart. Since the site is secured with formsauthentication, Windows Integrated Authentication must be turned off (otherwise i'd have access to different Logon_User values).

I'm not married to HttpContext, but it seems to me the only way to use code to retrieve identifiable user information.

EDIT/UPDATE:

@Robert Harvey provided a couple of seach links that brought up a lot of results, most of which don't fit my bill for one reason or another (although there is still a couple of great ideas in there that I hadn't thought of before). Primarily I need to be able to identify if someone has switched machines behind a firewall. So I'll provide some code structure details that will shed some light on why certain things don't work for me.

  1. Sessions/Cookies are persistent until midnight (decision made way over my head, I live with it)
  2. The authenticated user does not use a MembershipUser class. (even if it did, MembershipUser.IsOnline would offer me nothing more than a previously logged in user)
  3. Users are known to delete cookies or close browsers without logging off
  4. I need some criteria that can tell one machine from another not necessarily to prevent concurrent logins, but at least to identify them.
A: 

Generate a guid when they login and store it in a cookie and against the user record in the database.

Compare this on each request if it doesnt match you have a concurrent login.

To be clear this cookie is a session cookie like forms authentication if they delete it they will get logged out anyway.

bleevo
@bleevo - This doesn't address the identification of the machine itself. This solution would treat each login as a separate machine login. My question specifically requires that the machine be identified.
Joel Etherton
If the users are behind NAT this is impossible, to achieve what you are asking would have to also work if users used different browsers.Interesting question I will think more.
bleevo
If you could simplify the problem some I could help, if you only want to track the same machine, same login, same browser this can be done.Just have a page that returns a guid and set the caching of this page to a year, again this isnt much different to a cookie but it would persist until the user deleted their cache.Apart from that or the same thing using a cookie what you are asking is impossible.
bleevo
A: 

This is a self-answer. I ran across Browser Spy, and while it doesn't address the specifics of how to do this, it does indicate that it is possible through a combination of these items to uniquely identify a specific system with a minimal margin of error.

Joel Etherton